From 3880a707f60b87bc7db4c9e776e674e3a59d9a5e Mon Sep 17 00:00:00 2001
From: Bryce McMath <32586431+bryce-mcmath@users.noreply.github.com>
Date: Wed, 3 Apr 2024 09:42:12 -0700
Subject: [PATCH] fix: add more logs and fetch fresh google creds each attestation (#40)

Signed-off-by: Bryce McMath
---
 src/apple.py     |  8 ++++----
 src/constants.py |  5 +++++
 src/goog.py      | 23 +++++++++++------------
 src/traction.py  | 35 +++++++++++++++++++++++------------
 4 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/src/apple.py b/src/apple.py
index 3f2b564..7d92cc1 100644
--- a/src/apple.py
+++ b/src/apple.py
@@ -80,9 +80,9 @@ def verify_x5c_certificates(attestation_object):
         attestation_object["attStmt"]["x5c"][1], default_backend()
     )
 
-    logger.info("root_certificate", root_certificate.subject)
-    logger.info("credential_certificate", credential_certificate.subject)
-    logger.info("intermediate_certificate", intermediate_certificate.subject)
+    logger.info(f"root_certificate: {str(root_certificate.subject)}")
+    logger.info(f"credential_certificate: {str(credential_certificate.subject)}")
+    logger.info(f"intermediate_certificate: {str(intermediate_certificate.subject)}")
 
     if intermediate_certificate.issuer == root_certificate.subject:
         logger.info("The child certificate was issued by the parent certificate.")
@@ -280,7 +280,7 @@ def verify_attestation_statement(attestation_object, key_id, nonce):
 
         return True
     except Exception as e:
-        logger.info("Error during Apple attestation:", e)
+        logger.error(f"Error during Apple attestation: {e}")
         return False
 
 
diff --git a/src/constants.py b/src/constants.py
index e5e6d1a..4ceb6c1 100644
--- a/src/constants.py
+++ b/src/constants.py
@@ -17,6 +17,11 @@ class AttestationMethod(Enum):
 aaguid_end = 53
 cred_id_start = 55
 
+# Google Play Integrity
+integrity_scope = "https://www.googleapis.com/auth/playintegrity"
+bc_wallet_package_name = "ca.bc.gov.BCWallet"
+PLAY_RECOGNIZED = "PLAY_RECOGNIZED"
+
 # Redis
 auto_expire_nonce = 60 * 10  # 10 minutes
 
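Review bot: The `str(...)` wrapped around each subject inside the new f-strings is redundant (an f-string already formats the value with `str()`), and eagerly building the message bypasses logging's lazy formatting; the idiomatic form is `logger.info("root_certificate: %s", root_certificate.subject)` and likewise for the credential and intermediate lines. This is style only: the underlying fix is right, since the old calls passed the subject as a positional argument to a format string with no `%s`, which the logging module reports as a formatting error instead of printing the subject. verify_x5c_certificates starts before this hunk and continues after it.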
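Review bot: `logger.error(f"Error during Apple attestation: {e}")` drops the traceback, and because this `except Exception` maps every failure, whether bad input or a bug in the verifier, to a plain `False`, the message text becomes the only diagnostic left; use `logger.exception("Error during Apple attestation")` here so the stack trace is recorded at ERROR level. Failing closed on any exception is the right outcome for an attestation verifier, so the broad catch itself should stay. verify_attestation_statement starts before this hunk.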
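Review bot: The three new constants mix naming styles: `integrity_scope` and `bc_wallet_package_name` are lowercase like the file's existing `aaguid_end`, `cred_id_start` and `auto_expire_nonce`, while `PLAY_RECOGNIZED` is upper-case; either rename it to match (`play_recognized = "PLAY_RECOGNIZED"`, updating the goog.py import) or add a short comment saying the name deliberately mirrors the verdict string Play Integrity returns. A one-line comment on `bc_wallet_package_name` noting that it must equal the package name the integrity request was issued for would also help, since goog.py compares both `request_package_name` and `package_name` against it.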
diff --git a/src/goog.py b/src/goog.py
index e1144fc..4bbe814 100644
--- a/src/goog.py
+++ b/src/goog.py
@@ -3,6 +3,7 @@
 from googleapiclient.discovery import build
 from google.oauth2 import service_account
 from dotenv import load_dotenv
+from constants import integrity_scope, bc_wallet_package_name, PLAY_RECOGNIZED
 
 dev_mode = os.getenv("FLASK_ENV") == "development"
 allow_test_builds = os.getenv("ALLOW_TEST_BUILDS") == "true"
@@ -12,11 +13,6 @@
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
 
-path = os.getenv("GOOGLE_AUTH_JSON_PATH")
-creds = service_account.Credentials.from_service_account_file(
-    path, scopes=["https://www.googleapis.com/auth/playintegrity"]
-)
-
 
 # should eventually confirm nonce matches here
 def isValidVerdict(verdict, nonce):
@@ -37,28 +33,31 @@ def isValidVerdict(verdict, nonce):
 
         if (
             verdict_nonce == nonce
-            and request_package_name == "ca.bc.gov.BCWallet"
-            and package_name == "ca.bc.gov.BCWallet"
+            and request_package_name == bc_wallet_package_name
+            and package_name == bc_wallet_package_name
             and set(valid_device_verdicts).issubset(device_verdicts)
-            and (app_verdict == "PLAY_RECOGNIZED" or allow_test_builds)
+            and (app_verdict == PLAY_RECOGNIZED or allow_test_builds)
         ):
             return True
         else:
             return False
     except Exception as e:
-        print(e)
-        logger.info("Error evaluating verdict:", e)
+        logger.error(f"Error evaluating verdict: {e}")
         return False
 
 
 # decrypt the integrity token on google's servers
 def verify_integrity_token(token, nonce):
     try:
+        path = os.getenv("GOOGLE_AUTH_JSON_PATH")
+        creds = service_account.Credentials.from_service_account_file(
+            path, scopes=[integrity_scope]
+        )
         service = build("playintegrity", "v1", credentials=creds)
         body = {"integrityToken": token}
         instance = service.v1()
         verdict = instance.decodeIntegrityToken(
-            packageName="ca.bc.gov.BCWallet", body=body
+            packageName=bc_wallet_package_name, body=body
         ).execute()
 
         if isValidVerdict(verdict, nonce):
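Review bot: The context comment `# should eventually confirm nonce matches here` above isValidVerdict is stale now: the function already requires `verdict_nonce == nonce` (visible in the next hunk), so a reader of this hunk would wrongly conclude the nonce check is still missing. Replace it with a comment that states the actual contract, e.g. `# Accept the verdict only if its nonce, both package names, the device verdicts and the app verdict all check out`. isValidVerdict continues past the end of this hunk.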
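Review bot: `path = os.getenv("GOOGLE_AUTH_JSON_PATH")` now runs inside the `try` on every call, so an unset variable (`path` is `None`) or an unreadable key file is swallowed by the `except Exception` further down and surfaces exactly like a bad integrity token — verify_integrity_token returns `False` and the caller cannot distinguish a deployment fault from a failed attestation. Guard it before the credential load with `if not path: logger.error("GOOGLE_AUTH_JSON_PATH is not set"); return False`, and use `logger.exception` in the except branches so the real cause is kept. If the goal was only to avoid a stale access token, note that a google-auth Credentials object refreshes its own token on expiry, so re-reading and re-parsing the service-account key per attestation may be unnecessary — worth confirming. The rewritten condition `(app_verdict == PLAY_RECOGNIZED or allow_test_builds)` lets any app verdict pass when `ALLOW_TEST_BUILDS=true`; a comment such as `# test builds only: never set ALLOW_TEST_BUILDS in production` on that line would make the trade-off explicit. verify_integrity_token continues past the end of this hunk.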
@@ -66,7 +65,7 @@ def verify_integrity_token(token, nonce):
         else:
             return False
     except Exception as e:
-        logger.info("Error verifying integrity token:", e)
+        logger.error(f"Error verifying integrity token: {e}")
         return False
 
 
diff --git a/src/traction.py b/src/traction.py
index 0816cd0..b382eef 100644
--- a/src/traction.py
+++ b/src/traction.py
@@ -17,6 +17,7 @@ def fetch_bearer_token():
     global bearer_token
 
     if bearer_token:
+        logger.info("Found existing bearer token, returning it")
         return bearer_token
 
     base_url = os.environ.get("TRACTION_BASE_URL")
@@ -35,9 +36,13 @@ def fetch_bearer_token():
         response_data = json.loads(response.text)
         bearer_token = response_data["token"]
 
+        if bearer_token is None:
+            logger.error("Token doesn't exist in response data")
+
         return bearer_token
     else:
-        logger.info(f"Error fetcing token: {response.status_code}")
+        logger.error(f"Error fetching token: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
 
 def get_connection(conn_id):
@@ -58,10 +63,11 @@ def get_connection(conn_id):
     response = requests.get(url, headers=headers)
 
     if response.status_code == 200:
-        logger.info("Conneciton fetched successfully")
+        logger.info("Connection fetched successfully")
         return json.loads(response.text)
     else:
-        logger.info(f"Error fetcing conneciton message: {response.status_code}")
+        logger.error(f"Error fetching connection message: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
         return None
 
 
@@ -99,7 +105,7 @@ def send_generic_message(conn_id, endpoint, message):
     if response.status_code == 200:
         logger.info("Message sent successfully")
     else:
-        logger.info(f"Error sending message: {response.status_code} {response.text}")
+        logger.error(f"Error sending message: {response.status_code} {response.text}")
 
 
 def send_message(conn_id, content):
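Review bot: The new log line records that the cached token is reused but not why that is safe: `if bearer_token: return bearer_token` hands back the same token for the life of the process with no expiry or invalidation, so if Traction's bearer tokens expire (likely for a token obtained from a login endpoint — TODO confirm against the Traction API) every later call in this module keeps sending a dead token and the other functions will only log 4xx errors. Either store an expiry alongside the token, or have callers reset `bearer_token = None` and retry once on a 401. At minimum add `# NOTE: cached for the process lifetime; nothing refreshes it on expiry` above the check. fetch_bearer_token continues past the end of this hunk.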
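Review bot: The new `if bearer_token is None` check can only fire when the response body contains a literal `"token": null`: the line above it, `bearer_token = response_data["token"]`, raises `KeyError` when the key is absent, and nothing in this hunk catches it, so the missing-key case escapes as an exception before the new log line is reached. Use `bearer_token = response_data.get("token")` so the check covers both shapes. The `else` branch below logs twice and then falls off the end of the function, returning `None` implicitly; an explicit `return None` there would make the failure contract visible. fetch_bearer_token starts before this hunk.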
@@ -123,7 +129,7 @@ def send_message(conn_id, content):
     if response.status_code == 200:
         logger.info("Message sent successfully")
     else:
-        logger.info(f"Error sending message: {response.status_code}")
+        logger.error(f"Error sending message: {response.status_code}")
 
 
 def offer_attestation_credential(offer):
@@ -148,7 +154,8 @@ def offer_attestation_credential(offer):
     if response.status_code == 200:
         logger.info("Offer sent successfully")
     else:
-        logger.info(f"Error sending offer: {response.status_code}")
+        logger.error(f"Error sending offer: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
 
 def get_schema(schema_id):
@@ -171,13 +178,14 @@ def get_schema(schema_id):
     if response.status_code == 200:
         logger.info("Schema queried successfully")
     else:
-        logger.info(f"Error quering schema: {response.status_code}")
+        logger.error(f"Error querying schema: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
 
 def get_cred_def(schema_id):
-    logger.info("get_schema")
+    logger.info("get_cred_def")
 
     base_url = os.environ.get("TRACTION_BASE_URL")
     endpoint = "/credential-definitions/created"
@@ -194,9 +202,10 @@ def get_cred_def(schema_id):
     response = requests.get(url, headers=headers, params={"schema_id": schema_id})
 
     if response.status_code == 200:
-        logger.info("Schema queried successfully")
+        logger.info("Cred def queried successfully")
     else:
-        logger.info(f"Error quering schema: {response.status_code}")
+        logger.error(f"Error querying cred def: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
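Review bot: After logging the failure, get_schema still falls through to the unchanged `return response.json()`, so a caller receives the error body as if it were the schema query result — or a `JSONDecodeError` if the body is not JSON — and the two new `logger.error` lines are the only sign that anything went wrong. get_connection earlier in this patch and create_cred_def return `None` on their error branch; do the same here by adding `return None` after the second `logger.error` in the `else` branch (or moving `return response.json()` under the `== 200` branch). get_schema starts before this hunk, and get_cred_def continues past it.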
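Review bot: Same fall-through as get_schema: on a non-200 status the `else` branch now logs twice and then the unchanged `return response.json()` still hands the error payload (or raises on a non-JSON body) to the caller of get_cred_def. Add `return None` after `logger.error(f"Text content for error: {response.text}")` so callers get the same `None`-on-failure contract that get_connection and create_cred_def already provide. get_cred_def starts before this hunk.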
@@ -227,7 +236,8 @@ def create_schema(schema_name, schema_version, attributes):
     if response.status_code == 200:
         logger.info("Schema created successfully")
     else:
-        logger.info(f"Error creating schema: {response.status_code}")
+        logger.error(f"Error creating schema: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
@@ -264,6 +274,7 @@ def create_cred_def(schema_id, tag, revocation_registry_size=0):
 
         return response.json()
     else:
-        logger.info(f"Error creating request: {response.status_code}")
+        logger.error(f"Error creating request: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
         return None
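Review bot: create_schema has the same fall-through as get_schema: on a non-200 status the two new `logger.error` calls run and then the unchanged `return response.json()` hands the error payload (or a `JSONDecodeError`) to the caller as though a schema had been created. Add `return None` at the end of the `else` branch, matching create_cred_def in the next hunk, which already returns `None` on failure; callers can then distinguish success from failure without parsing log output. create_schema starts before this hunk.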